Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

REVIEW OF THE FOOD AND DRUG ADMINISTRATION’S COMPUTER MONITORING OF CERTAIN EMPLOYEES IN ITS CENTER FOR DEVICES AND RADIOLOGICAL HEALTH

Daniel R. Levinson
Inspector General

February 2014
OIG-12-14-01

Office of Inspector General
http://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services
The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections
The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations
The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General
The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG’s internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

Table of Contents

EXECUTIVE SUMMARY
REVIEW OF THE FOOD AND DRUG ADMINISTRATION’S COMPUTER MONITORING OF CERTAIN EMPLOYEES IN ITS CENTER FOR DEVICES AND RADIOLOGICAL HEALTH
I. FDA’S COMPUTER MONITORING
    Events Prior to Computer Monitoring
    The Decision To Monitor Scientist 1
    Monitoring Software Used by FDA
    Computer Monitoring of Scientist 1 Begins
    The Interim Report of Investigation
    Computer Monitoring of Additional Scientists Begins
    Procedures Used During FDA’s Computer Monitoring
    FDA Consultations With OGC
    CDRH Takes Action as a Result of Monitoring
II. FINDINGS
III. RECOMMENDATIONS
IV. DEPARTMENT RESPONSE
APPENDIX A: Methodology
APPENDIX B: CDRH and the Premarket Application Process
APPENDIX C: Applicable Legal Criteria
    Reasonableness of a Computer Search
    Interception of Electronic Communications
    The Whistleblower Protection Act
    Prohibitions on the Disclosure of Information by FDA Employees
APPENDIX D: Department Comments

EXECUTIVE SUMMARY

On July 14, 2012, The New York Times reported on computer monitoring by the Food and Drug Administration (FDA) of certain scientists in FDA’s Center for Devices and Radiological Health (CDRH). On July 20, 2012, the Secretary of the U.S. Department of Health and Human Services (HHS) wrote to HHS’s Office of Inspector General (OIG), asking it to consider whether there was a sufficient basis to conduct the monitoring; to consider whether the methods of monitoring were appropriate; and to provide recommendations on how HHS can appropriately, effectively, and efficiently investigate allegations of improper dissemination of confidential information while protecting employees’ rights and whistleblower protections.

Between April 2010 and October 2011, FDA used computer-monitoring software on the FDA computers of five CDRH scientists. FDA suspected that these employees were sending trade secrets or confidential commercial information (CCI) outside FDA in possible violation of FDA regulations and criminal statutes; FDA also was aware that these employees may have held whistleblower status. During the time immediately prior to and during the computer monitoring, FDA computer systems displayed a log-on banner that stated that users had no right of privacy in the system and that all data on the system may be monitored; however, FDA had no policy governing the approval or conduct of such monitoring.

During 2009 and 2010, several newspaper articles referenced or quoted internal CDRH memorandums. One such article, published in The New York Times on March 28, 2010, referenced a confidential GE Healthcare submission to CDRH and quoted CDRH employee Scientist 1.[1] Soon after, FDA received a complaint letter from counsel representing GE Healthcare that alleged that its CCI had been disclosed to the press by CDRH in violation of Federal regulations and agency policy and asked FDA to investigate. CDRH management strongly suspected that Scientist 1 was the source of the information in the article because, among other reasons, he was quoted in the article. CDRH management also suspected that Scientist 1 was inappropriately ghostwriting reports for his subordinates.

CDRH’s Director tasked CDRH’s Executive Officer with finding out what options were available to identify the source of the disclosure to The New York Times and to prevent future unauthorized disclosures. In order to accomplish this, the CDRH Director instructed the CDRH Executive Officer to engage with FDA’s Assistant Commissioner for Management and/or with FDA’s Chief Information Officer (CIO). After the CDRH Executive Officer met with both the Assistant Commissioner for Management and the CIO, the CIO, in conjunction with the Chief Information Security Officer (CISO), proposed investigating the leaks using computer-monitoring technology. Office of Information Management (OIM) staff arranged to begin monitoring Scientist 1’s computer and chose the monitoring tools that were used.

[1] OIG has redacted the names of the five scientists subject to computer monitoring since they may have been entitled to protections under the Whistleblower Protection Act, even though their names already are known to the Department. In an abundance of caution and in an effort to avoid the appearance of disclosing the names of whistleblowers, we refer to them as Scientists 1 through 5.

OIM staff chose two computer-monitoring tools to investigate Scientist 1. They used EnCase to image (or copy) the memory of Scientist 1’s FDA computer, which, at times, included personally owned removable memory drives connected to the FDA network. OIM staff also chose SpectorSoft (Spector) and installed it on Scientist 1’s computer. Spector captures: (1) screen shots of a user’s computer every few seconds and (2) the user’s keystrokes, including keystrokes used to enter passwords.

Using a short list of search terms developed by CDRH’s Executive Officer, OIM staff reviewed the screen shots taken of Scientist 1’s computer for potential indications of unauthorized disclosures outside FDA or ghostwriting. Because Spector takes screen shots of the information displaying on a user’s computer every few seconds, OIM staff could not scope Spector to capture only information relevant to the issues CDRH wanted investigated; rather, OIM staff manually reviewed the tens of thousands of screen shots after they were taken by Spector to cull out those that appeared relevant to certain search terms concerning unauthorized disclosures and ghostwriting. Accordingly, while we found no evidence that FDA used Spector to target specifically the scientists’ communications with any particular person or group, such as Members of Congress or the media, it is precisely because Spector broadly captured information that the scientists’ communications with such persons were captured.

Partly on the basis of information discovered while monitoring Scientist 1’s computer, CDRH management directed OIM staff to expand Spector and EnCase monitoring to include four additional CDRH scientists. We found no evidence that during the computer monitoring, OIM staff logged into any FDA user’s computer in order to gain live access as a user of the computer or attempted to log into any FDA user’s personal Web-based email accounts. While Spector captures by default the user’s keystrokes, including keystrokes used to enter passwords, we found no evidence that anyone at FDA, CDRH, or OIM ever accessed Spector’s keystroke logs, where such information resides.

As a result of the computer monitoring, CDRH concluded it had developed evidence that certain employees had disclosed CCI. In the spring of 2011, CDRH wrote to several companies that had submitted confidential materials to CDRH to inform them that it had determined that an employee had made, via email, unauthorized disclosures of their CCI in July or August 2010.

On the basis of its review, OIG found that despite the reasonableness of CDRH’s concerns and the explicit language in FDA’s network log-on banner, CDRH failed to fully assess beforehand, and with the timely assistance of legal counsel, whether the scope of potentially intrusive EnCase and Spector monitoring would be consistent with constitutional and statutory limitations on Government searches and consistent with whistleblower protections. OIG recommends that HHS ensure that its operating divisions draft and implement policies and related procedural internal controls that provide reasonable assurance of compliance with laws and regulations, particularly those governing current and prospective employee monitoring. In September 2013, FDA issued an interim computer-monitoring policy that addresses our recommendations.

REVIEW OF THE FOOD AND DRUG ADMINISTRATION’S COMPUTER MONITORING OF CERTAIN EMPLOYEES IN ITS CENTER FOR DEVICES AND RADIOLOGICAL HEALTH

This review responds to the Secretary’s letter dated July 20, 2012, asking the Office of Inspector General (OIG) to review the monitoring of electronic communications of certain employees in the Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH). Specifically, the Secretary asked OIG to consider whether there was a sufficient basis to conduct the monitoring; to consider whether the methods of monitoring were appropriate; and to provide recommendations on how the U.S. Department of Health and Human Services (HHS) can appropriately, effectively, and efficiently investigate allegations of improper dissemination of confidential information while protecting employees’ rights and whistleblower protections.

The Secretary’s request refers to the computer monitoring of five individuals at CDRH that began on April 22, 2010, when FDA installed SpectorSoft monitoring software (Spector) on the Government-issued computer of Scientist 1. FDA subsequently expanded its monitoring to the Government-issued computers of Scientist 2, Scientist 3, Scientist 4, and Scientist 5. FDA also used a product called EnCase to remotely take forensic data images of the individuals’ computer and network memory. Although FDA monitored each individual’s computer usage for varying lengths of time, FDA had ended its monitoring of all five individuals by October 9, 2011.

This review is organized into four sections. Section I summarizes events that led to the computer monitoring and FDA’s conduct of the monitoring, Section II presents OIG’s findings, and Section III provides OIG’s recommendations. Section IV presents the Department’s response. Appendixes cover OIG’s methodology, CDRH and the premarket application (PMA) process for medical devices, the legal criteria relevant to the disclosure of information by Federal employees and computer monitoring of Federal employees, and the Department’s comments.

I. FDA’S COMPUTER MONITORING

This narrative of the facts and events leading to FDA’s computer monitoring, the deliberation and authorization by FDA management relating to the computer monitoring, and FDA’s conduct of the monitoring is the result of the interviews and the document review described in Appendix A. Our review uncovered few inconsistencies among the information provided by interviewees and obtained from documentation, but where there was ambiguity or conflict, we note it.

During the time immediately prior to and during the computer monitoring, FDA used a network log-on banner, which appeared each time an employee logged onto his or her computer, prompting the employee to press “OK” to continue.[2] It read:

    This is a Food and Drug Administration (FDA) computer system and is provided for the processing of official U.S. Government information only. All data contained on this computer system is owned by the FDA and may, for the purpose of protecting the rights and property of the FDA, be monitored, intercepted, recorded, read, copied, or captured in any manner and disclosed by and to authorized personnel. USE OF THIS SYSTEM BY ANY USER, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO THIS MONITORING, INTERCEPTION, RECORDING, READING, COPYING, OR CAPTURING AND DISCLOSURE. THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM. Authorized personnel may give to law enforcement officials any potential evidence of crime found on FDA computer systems. Unauthorized access or use of this computer system and software may subject violators to criminal, civil, and/or administrative action. The standards of ethical conduct for employees of the Executive Branch (5 C.F.R. § 2635.704) do not permit the use of government property, including computers, for other than authorized purposes.

[2] FDA since has updated the language in its log-on banner to meet OIG recommendations.

Events Prior to Computer Monitoring

On January 13, 2009, The New York Times published an article that included potentially confidential information from a then-pending 510(k) submission[3] for a mammography computer-aided detection device from device manufacturer iCAD.[4] CDRH officials stated that these disclosures were not authorized. Therefore, the disclosures would have been in violation of FDA regulations.[5] According to information iCAD provided to FDA by letter dated that same day (the iCAD Letter), the article’s author informed the company that he had received “internal FDA documents” regarding the device from “scientific officers of the FDA.” The iCAD Letter enclosed copies of two January 8, 2009, news articles by the Associated Press and The Wall Street Journal that reported on a letter sent by a group of FDA scientists to then President-Elect Barack Obama’s transition team complaining that the scientific review process for medical devices at FDA had been corrupted and distorted by FDA managers and singling out mammography computer-aided detection devices as an example of a technology that should not have gone forward. The iCAD Letter pointed out that The New York Times, and possibly other media outlets, had obtained material relating to 510(k) submissions on mammography computer-aided detection devices. The New York Times article quoted from an internal agency memorandum regarding the pending review of another firm’s premarket 510(k) submission. The quoted memorandum was a consultation review memorandum on the 510(k) submission that had been drafted on March 14, 2008 (and updated on March 26, 2008), by CDRH personnel and addressed to, among others, Scientist 1.

[3] CDRH’s PMA process, and the 510(k) process in particular, are described in Appendix B.
[4] Gardiner Harris, In F.D.A. Files, Claims of Rush to Approve Devices, The New York Times (Jan. 13, 2009).
[5] Several statutory and regulatory provisions limit the ability of FDA employees to share agency information with others outside the agency and are discussed in detail in Appendix C. They include 18 U.S.C. § 1905 (Federal criminal statute generally limiting disclosures), 21 U.S.C. §§ 331(j) and 333 (additional criminal provisions in the Federal Food, Drug, and Cosmetic Act that prohibit disclosure of trade secrets (but not confidential business information) submitted to FDA in accordance with FDA approval processes), and 21 CFR § 814.9 (FDA disclosure restrictions with respect to PMAs).

On October 1, 2009, the Acting Director of CDRH and other CDRH staff participated in a telephone interview with Wall Street Journal reporter Alicia Mundy, who had co-authored the January 8, 2009, article enclosed with the iCAD Letter. During the call, Ms. Mundy quoted an internal FDA 510(k) reviewer memorandum that contained what CDRH believed to be CCI, the disclosure of which is restricted by regulation, or potential trade secrets, the unauthorized disclosure of which may have constituted violations of criminal statutes.[6] The CDRH Freedom of Information Act (FOIA) officer later confirmed that this particular reviewer memorandum had not been requested or released under FOIA.

On October 1, 2009, CDRH requested an audit of its internal electronic imaging system, IMAGE, to determine which employees had accessed the files containing the disclosed materials. The audit identified Scientist 1 as the only person who had accessed the particular files without a valid reason.

On March 28, 2010, The New York Times published another article on FDA’s 510(k) process, which described allegations that FDA downplayed the risks of radiation exposure when considering applications for the approval of certain uses of radiological devices. The article stated that “a group of agency scientists who are concerned about the risks of CT scans say they will testify at [an FDA meeting on how to protect patients from unnecessary radiation exposure] that FDA managers ignored or suppressed their concerns.…” The article reported that General Electric (GE) had submitted a 510(k) application and referenced “[s]cores of internal agency documents made available to the New York Times” pertaining to it.[7] The article quoted comments made in internal FDA communications by Scientist 1 (see note 1) and a former CDRH contractor in opposition to the GE submission. The article also mentioned internal discussions from a May 12, 2009, 510(k) premarket review meeting that CDRH believed to be privileged.

[6] Ibid. (note 5).
[7] Gardiner Harris, Scientists Say F.D.A. Ignored Radiation Warnings, The New York Times (Mar. 28, 2010).

On April 16, 2010, FDA received another complaint letter, this time from counsel representing GE Healthcare (the GE Letter). The GE Letter expressed disappointment in CDRH for disclosing to the press CCI contained in a 510(k) submission for a GE Healthcare device used in CT (computed tomography) colonography screening. The GE Letter asserted that “CDRH was not permitted to publicly disclose either the existence or the contents of GE Healthcare’s 510(k) submission, so in disclosing this information, CDRH breached the confidentiality of GE Healthcare’s submission in violation of both federal regulations and internal agency policy.” The GE Letter requested that FDA conduct an investigation of the leak.

The Decision To Monitor Scientist 1

According to the CDRH Executive Officer, Scientist 1 was selected for computer monitoring in part because he was named in the March 28, 2010, New York Times article, which was referenced by and enclosed with the GE Letter. (The other FDA scientist named in the article was no longer an employee of CDRH at the time the GE Letter was received.) In addition, the audit requested by CDRH on October 1, 2009, of FDA’s internal IMAGE System had identified Scientist 1 as the only person who had accessed the particular files without a valid reason.

On April 21, 2010, CDRH’s Executive Secretariat brought the GE Letter to the attention of CDRH’s Executive Officer, who shared a copy with the CDRH Director. The CDRH Director directed CDRH’s Executive Officer to find what options were available to identify the source of the unauthorized disclosure and to prevent future disclosures. The CDRH Director also told her to share the GE Letter with FDA’s Chief Information Officer (CIO) in FDA’s Office of Information Management (OIM) and FDA’s Assistant Commissioner for Management.[8] The CDRH Director instructed the CDRH Executive Officer to meet with the Assistant Commissioner for Management and/or the CIO to discuss the unauthorized disclosures. The CIO, in conjunction with the Chief Information Security Officer (CISO) and others, arranged to begin monitoring Scientist 1’s computer. The CDRH Director was told about this monitoring at the time and approved it. It does not appear that any other response, apart from computer monitoring, was considered.

[8] Additional FDA officials, including the Chief Counsel of FDA and the Special Agent in Charge (SAC) of FDA’s Office of Internal Affairs, also received copies of the GE Letter.

The CISO and the CDRH Executive Officer met with the Team Leader for Incident Response at Chickasaw Nation Industries, Inc. (CNI) (the CNI Team Leader), an information security contractor for FDA, to explain CDRH’s concern that Scientist 1 was disseminating information outside the FDA network. According to the CNI Team Leader, CDRH also was concerned that Scientist 1 was improperly preparing official CDRH reports in the names of other CDRH scientists (or ghostwriting them), on the basis of complaints from the other scientists’ supervisors. The group discussed how to implement the CIO’s monitoring directive to investigate these allegations.

At the time, neither HHS, FDA, nor CDRH had implemented a policy governing the computer monitoring of employees designed to ensure compliance with limits on Government searches of Government employees, such as the Fourth Amendment, the prohibition on intercepting electronic communications (Title III of the Omnibus Crime Control and Safe Streets Act (Title III)), and the protections in the Whistleblower Protection Act (WPA).[9] The only guidance issued by FDA that governed computer monitoring was FDA’s Forensic & Incident Response Procedures Manual, which is a technical document based on technical guidance from the Department of Commerce’s National Institute of Standards and Technology. It does not provide guidance to managers on how to conduct investigations, office searches, or computer monitoring.

During the meeting, the CDRH Executive Officer gave the CNI Team Leader a piece of paper listing search terms she had developed. This page of notes established the parameters for the initial computer monitoring of Scientist 1. The page read:

    Search terms:
    Colonography
    K followed by a string of numbers[10]
    It is possible that the employee had “ghost written” for the following employees:
    [Scientist 3]
    [Scientist 2]
    [Scientist 4]
    [Name Redacted]
    [Name Redacted]
    [Scientist 5]

[9] As described more fully in Appendix C: (1) the Fourth Amendment requires that Government searches of Government employees be justified in their inception and permissible in scope; (2) Title III establishes criminal penalties for the interception of electronic communications absent an applicable exception; and (3) the WPA prohibits retaliation against a Government employee for disclosure of evidence of violations of law or regulation, waste and abuse, or a specific danger to the public health. Other statutes, such as the Privacy Act, may also impose limits on such monitoring.
[10] “K followed by a string of numbers” refers to Premarket Notification filings in accordance with section 510(k) of the Federal Food, Drug, and Cosmetic Act, in which such filings are labeled with “K” followed by a series of digits.

The list of employees identified as possible recipients of Scientist 1’s ghostwritten material was based on complaints by their supervisors that work they were turning in was not their own.

Monitoring Software Used by FDA

Around the same time, the CISO met with the CNI Team Leader to discuss available software tools that could be used to carry out the computer monitoring. FDA ultimately chose two tools to monitor computer usage of the scientists: SpectorSoft (Spector) and EnCase. Spector monitors a user’s ongoing computer activity by capturing screen shots at a set interval (for example, every 5 or 10 seconds) and recording keystroke data. Spector cannot be used to see a user’s activity in real time; rather, it displays static screen shots that it has captured. The CNI Team Leader believed Spector was the best tool to use in this situation because it was responsive to concerns of ongoing data exfiltration. The CNI Team Leader stated it is generally impossible to find evidence of transmissions of data beyond the FDA network that occurred in the past because individuals typically use personal Web-based email to communicate and transmit such data.[11] He also stated that OIM could remotely install Spector on a computer that is part of the FDA network without the individual’s knowledge and that Spector would transmit its data to the Incident Response team.

[11] OIM staff told OIG that no tool available to FDA at the time could re-create communications over earlier non-FDA Web-based email because Web-based email leaves very few traces behind on a user’s computer.

Spector captures by default the user’s keystrokes, including, but not limited to, keystrokes for passwords. The member of CNI’s Incident Response Team (the CNI Team Member) ultimately assigned the computer-monitoring project stated that no one else at CNI ever looked at the keystrokes. Furthermore, he knew that no one at FDA looked at the keystrokes either, because only he was in a position to provide access to the keystroke logs and he never received such a request. The CNI Team Member told OIG that during the monitoring, CNI staff never logged into an FDA user’s asset to gain live access as a user of the asset, nor did the CNI Team Member attempt to log into any FDA user’s personal Web-based email accounts. Similarly, the CNI Team Leader told OIG that during the computer monitoring, he and his team members never physically or remotely controlled anyone else’s computer.

Screen shots that CNI identified as showing potential indications of ghostwriting or unauthorized disclosures outside FDA were shared with CDRH for further review. CDRH’s then Associate Director, Office of In Vitro Diagnostic Device Evaluation and Safety, was given primary responsibility for reviewing these selected screen shots to look for CCI or trade secrets being sent outside FDA, because she had subject matter expertise on the medical devices that CDRH reviews.

EnCase is a retrospective tool that can remotely create a forensic data image of a hard drive or other computing asset. EnCase was not able to easily show whether data that existed on an FDA asset had been transmitted beyond the network. However, FDA used EnCase to take an image of the scientists’ computers and network memory several times, usually in an attempt to recover something seen on a Spector screen shot relevant to unauthorized disclosures or ghostwriting, such as an email attachment that appeared likely to contain CCI. When CDRH requested a document, such as an email attachment, CNI staff used EnCase to recover the file and then transferred the attachment and any other files to CDRH via an encrypted FDA USB storage device.

Computer Monitoring of Scientist 1 Begins

On April 22, 2010, the CNI Team Leader remotely installed Spector on Scientist 1’s Government-issued laptop. The CNI Team Leader subsequently assigned the project to a subordinate, the CNI Team Member, giving him a page of “specifications” he had drafted together with the page of search terms drafted by the CDRH Executive Officer. The CNI Team Member described them as a text file containing “directions and guidance for the FDA task,” but FDA did not provide a copy of the specifications to OIG.

On April 23, 2010, FDA’s Assistant Commissioner for Management informed FDA’s Office of Criminal Investigations (OCI) about the GE Letter allegations, and OCI advised that it believed the issue should be referred to OIG because the individual alleged to have made the disclosure was also involved in a series of ongoing whistleblower/Qui Tam issues with CDRH.

OCI opened a case regarding the allegations in the GE Letter on May 14, 2010, and, by letter dated the same day, wrote OIG’s then-Assistant Special Agent in Charge of OIG’s Special Investigations Branch requesting that it investigate the allegations in the GE Letter. On May 18, 2010, OIG responded that it would take no action because the referral lacked evidence of criminal conduct, noting that the disclosures implicated the WPA.[12] In the meantime, FDA

[12] On June 28, 2010, after Spector had been installed on Scientist 2’s computer and 2 days before it would be installed on the remaining scientists’ computers, CDRH renewed its request that OIG open an investigation, on the basis of evidence it gathered during its computer monitoring, including “documents suggesting that employees are engaged in the inappropriate, and likely illegal, disclosure of nonpublic information.” In response, OIG opened an investigation on July 31, 2010, and, after completing its review, presented the matter to the U.S. Department of Justice, where prosecutors reviewed the matter and declined prosecution.
By letter dated November 15, 2010, OIG\nnotified the CDRH Director that it had closed its investigation, noting that prosecutors declined prosecution and\n\xe2\x80\x9c[y]our office indicated it had developed sufficient evidence to address the alleged misconduct through\nadministrative processes, and as such, no further action will be taken by OIG.\xe2\x80\x9d\n\n                                                                                                     11 | P a g e\n\x0chad already initiated its monitoring of Scientist 1 (OIM installed Spector on Scientist 1\xe2\x80\x99s laptop\non April 22, 2010). 13\n       On May 17, 2010, FDA used EnCase for the first time to obtain a snapshot of the\ncontents of Scientist 1\xe2\x80\x99s computer hard drive and attached external memory devices. For\nexample, CNI staff recalled an EnCase analysis it performed of a non-FDA thumb drive\nbelonging to Scientist 1 that was plugged into an FDA computer. However, it appears EnCase\nalso was used to conduct searches unrelated to anything identified through Spector. 
Additional\nEnCase snapshots were taken several times before the writing of the Draft OGC Memo.\n\nThe Interim Report of Investigation\n\n        On or about June 3, 2010, the CNI Team Member authored a summary of the computer\nmonitoring captioned \xe2\x80\x9cSubjects of Interest,\xe2\x80\x9d which he transmitted to FDA\xe2\x80\x99s CIO under a cover\nmemo captioned, \xe2\x80\x9cInterim Report of Investigation.\xe2\x80\x9d The cover memo characterized the\nallegations presented to the FDA Security Department as follows:\n        \xe2\x80\xa2   \xe2\x80\x9cGhost writing HIS subordinates\xe2\x80\x99 reports, in particular those surrounding those\n            reports that are identified by the letter \xe2\x80\x98K\xe2\x80\x99 followed by six (6) numbers.\xe2\x80\x9d\n        \xe2\x80\xa2   \xe2\x80\x9c[Scientist 1] communicating with external news sources (press) regarding HIS\n            concerns over the FDA\xe2\x80\x99s approval process of particular medical devices surrounding\n            CT scans and Colonography. This allegation particularly related to Gardiner Harris,\n            reporter for the New York Times.\xe2\x80\x9d\n        The cover memo added that \xe2\x80\x9c[t]he analytical findings to date appear to support the\nallegations, however the review is ongoing and substantial volumes of data are currently being\nculled.\xe2\x80\x9d\n        The report summarized data and communications identified by looking at 2 weeks\xe2\x80\x99 worth\nof Spector screen shots. The report contained four categories of \xe2\x80\x9csubjects\xe2\x80\x9d: primary, secondary,\nancillary, and media outlet. The \xe2\x80\x9cprimary\xe2\x80\x9d subjects were individuals within FDA with the\nhighest frequency of communication regarding improper release of confidential information or\nghostwriting. The \xe2\x80\x9csecondary\xe2\x80\x9d subjects referred to individuals within the agency with\nsubstantive communications about the search term issues at any frequency level. 
\xe2\x80\x9cAncillary\xe2\x80\x9d\nsubjects referred to individuals outside the agency with any communications about the search\nterm issues and included a Member of Congress and Congressional staff. \xe2\x80\x9cMedia outlet\xe2\x80\x9d\nsubjects referred to members of the media with any communications about the search term\n\n13\n  A draft Office of the General Counsel (OGC) legal memorandum (Draft OGC Memo), discussed more fully\nbelow, mistakenly asserts that CDRH began its computer monitoring of Scientist 1after OIG\xe2\x80\x99s May 18, 2010,\nresponse.\n\n                                                                                                  12 | P a g e\n\x0cissues. This report did not indicate\xe2\x80\x94and we found no evidence\xe2\x80\x94that the monitoring was\nimplemented in a manner specifically designed to capture communications with Congress, as has\nbeen alleged to HHS.\n       The report characterizes the primary subjects (Scientist 1, Scientist 2, and a former\nCDRH employee) as follows: \xe2\x80\x9cThe above listed subjects appear to be the point men. 
All\ncommunications amongst all the subjects filter through one or all of these three primary\nsubjects.\xe2\x80\x9d\n        Scientist 3, Scientist 4, and Scientist 5 were included on the list of secondary subjects; the\nreport summarizes their communications as follows:\n        The secondary subjects listed above are in constant communication amongst\n        themselves and the primary subjects via FDA email, Yahoo Mail and Gmail.\n        Communications involve review, editing, compilation, production or distribution\n        of verbiage, documentation, and information pertaining to medical reviews,\n        current investigations, claims against HHS/FDA, release of information to the\n        press and external organizations.\n\n       The report included hyperlinks labeled \xe2\x80\x9cView All instances of the above noted in order\nby date\xe2\x80\x9d that linked to screen shots showing some of the data the report identified.\n\nComputer Monitoring of Additional Scientists Begins\n\n        Partly on the basis of information discovered while monitoring Scientist 1, including\nemail contacts between Scientist 1 and others, CDRH\xe2\x80\x99s Executive Officer told OIM staff to\nexpand the monitoring, and Spector then was installed on additional FDA computers used by\nScientist 2 (on May 24, 2010) and Scientist 3, Scientist 4, and Scientist 5 (all on June 30, 2010).\n         According to CDRH\xe2\x80\x99s Executive Officer, the decision to expand the monitoring was a\ngroup decision made by her, the CIO, the Assistant Commissioner for Management, CDRH\xe2\x80\x99s\nthen Associate Director, Office of In Vitro Diagnostic Device Evaluation and Safety, and\nothers. 14 We found no evidence that this group considered employing any investigative\ntechnique other than computer monitoring.\n      On June 25, 2010, an OGC attorney discussed expanding the monitoring in an e-mail to\nFDA\xe2\x80\x99s Chief Counsel. 
\xe2\x80\x9c[Attorney to attorney communication redacted.]\xe2\x80\x9d\n       In the CDRH Director\xe2\x80\x99s June 28, 2010, letter to OIG (discussed in footnote 11\nabove), the CDRH Director described what was discovered during the monitoring:\n\n14\n  CDRH\xe2\x80\x99s then Associate Director, Office of In Vitro Diagnostic Device Evaluation and Safety, disputed her\ninvolvement in computer-monitoring decisions, stating she did not know who at FDA was being monitored.\n\n                                                                                                   13 | P a g e\n\x0c\xe2\x80\x9cSpecifically, [the documents discovered during the computer monitoring] show that the\nemployee at issue and other employees have recently disclosed nonpublic information to\nat least one former FDA employee\xe2\x80\xa6. We have also discovered e-mails that the\nemployee in question sent to unauthorized recipients which appear to have attachments\nlikely containing confidential commercial information.\xe2\x80\xa6\xe2\x80\x9d\n          A July 25, 2010, email from the CDRH Director to the Deputy FDA Commissioner\nstated:\n          \xe2\x80\xa6after several weeks of monitoring IT security and FDA technical experts\n          identified several instances in which [Scientist 1] provided confidential\n          information about medical devices under review to [a former FDA scientist] when\n          [that former FDA scientist] was no longer an FDA employee. In some instances\n          the medical devices did not pertain to [this former FDA scientist\xe2\x80\x99s] area of\n          expertise. 
Other CDRH employees were participants in these email exchanges.\n          As a result, FDA expanded its monitoring to the computers of four other CDRH\n          staff who were parties to the disclosure of confidential information.\n\nProcedures Used During FDA\xe2\x80\x99s Computer Monitoring\n\n        As discussed above, screen shots that CNI staff identified as showing potential\nindications of ghostwriting or unauthorized disclosures were shared with CDRH\xe2\x80\x99s then Associate\nDirector, Office of In Vitro Diagnostic Device Evaluation and Safety, for further review. The\nthen Associate Director also made written lists of filenames of monitored emails and screen shots\nthat appeared to contain CCI or details of internal processes being sent outside the FDA\ncomputer network and gave these lists to CDRH\xe2\x80\x99s Executive Officer asking her to confirm with\nFOIA experts whether the information identified as CCI was actually CCI. The then Associate\nDirector identified some of the emails as going to individuals who no longer worked for FDA, as\nwell as Members of Congress; when she talked to the CDRH Director about information going\noutside FDA, he expressed his understanding that employees have the right to share CCI with the\npress if they think there are immediate, urgent public health concerns that are being ignored by\nFDA.\n        As with Scientist 1, FDA used EnCase to take images of the other scientists\xe2\x80\x99 computers\nand network memory several times, usually in an attempt to recover something seen on a Spector\nscreen shot. 
For instance, CNI staff used EnCase after it observed that numerous potential FDA\nfiles were being copied and transferred to a thumb drive docked into Scientist 3\xe2\x80\x99s FDA computer\n(when a thumb drive is docked into an FDA asset, the thumb drive becomes part of the FDA\nnetwork).\n\n\n                                                                                     14 | P a g e\n\x0cFDA Consultations With OGC\n\n        With no agency policies in place, FDA and CDRH officials had no written guidance to\nfollow to ensure that any computer monitoring would be conducted in accordance with\napplicable laws and in a manner that protected the rights of employees. 15 We found no evidence\nof consultation between FDA and OGC prior to the decision to conduct computer monitoring of\nScientist 1 in April 2010. FDA stated that after monitoring began, OGC was consulted on a June\n2010 draft referral from CDRH to OIG on issues related to computer monitoring. Also in\napproximately June 2010, a staff attorney in the OGC Food and Drug Division (FDD), at the\ndirection of the Associate General Counsel of FDD, wrote a legal memorandum (the Draft OGC\nMemo), which addressed some of the legal issues raised by the computer monitoring. 16\n       The Draft OGC Memo is relevant to our review, even though the latest version of it was\ndated July 8, 2010\xe2\x80\x94several weeks after the initiation of the computer monitoring of Scientist\n1\xe2\x80\x94because it is the only document from an attorney provided to OIG evidencing FDA\xe2\x80\x99s and\nCDRH\xe2\x80\x99s understanding of the applicability of legal limits on the conduct of searches of\nGovernment employees. 
The legal advice provided in the memorandum was limited in scope\nand did not address the applicability of all the relevant laws to all the targeted scientists.\n\nCDRH Takes Action as a Result of Monitoring\n\n        As a result of the information collected during the monitoring, Scientist 1 was put on\nadministrative leave on July 7, 2010, and his term appointment expired on July 31, 2010.\nScientist 4 was given advance notice of removal from Federal service on December 6, 2010, for\nunauthorized release of agency information; however, Scientist 4 was temporarily reappointed on\nFebruary 17, 2012, and her reappointment remained effective through September 25, 2013.\nScientist 3\xe2\x80\x99s appointment was not renewed as of November 6, 2010. Scientist 2, who was a\nCommissioned Corps officer, was directed to nonduty with pay status on May 5, 2011, and was\nformally terminated from the Commissioned Corps on October 9, 2011. Scientist 5 remains\nemployed by CDRH.\n\n\n\n15\n   FDA published and periodically updated a Forensic & Incident Response Procedures Manual; however, this\nmanual is a technical document largely based on technical guidance from the Department of Commerce\xe2\x80\x99s National\nInstitute for Standards and Technology. It does not provide guidance to FDA managers on how to conduct\ninvestigations, office searches, or computer monitoring.\n16\n   According to FDA, the Draft OGC Memo was never finalized. FDA told us that it does not know why it was not\nfinalized and that, since the Associate General Counsel of FDD (who directed preparation of that memorandum) no\nlonger works in OGC, FDA would speculate as to neither the reasons for directing preparation of it nor the way in\nwhich it was used. During our review, OIG saw several iterations of this memorandum. 
The Draft OGC Memo is\nmarked \xe2\x80\x9cprivileged and confidential \xe2\x80\x93 attorney work product.\xe2\x80\x9d\n\n                                                                                                    15 | P a g e\n\x0c        In four letters sent in March and April 2011, CDRH wrote to companies with business at\nCDRH to inform them that CDRH had determined that one of its Office of In Vitro Diagnostics\nemployees had made unauthorized disclosures of their CCI in July or August 2010 via email. In\neach letter, CDRH apologized and made assurances that it had taken appropriate administrative\naction.\n\nII.    FINDINGS\n\n        We found that CDRH had reasonable concern that confidential information, including\npossibly trade secrets and/or CCI, had been disclosed by agency employees without\nauthorization. This concern was reasonable largely because news reports cited internal agency\ndocuments and agency scientists as sources of the confidential information. Indeed, by the\nspring of 2011, CDRH was sufficiently certain that its investigation had turned up evidence of\nsuch unauthorized disclosures that it sent letters of apology to several device manufacturers.\n       We also found that FDA had provided notice to its scientists (and all other users of its\nnetwork) through a network log-on banner that there was no right to privacy on the FDA\ncomputer network and that all data on the network were subject to interception by FDA.\nConsistent with the banner, FDA monitored the scientists\xe2\x80\x99 communications over FDA\xe2\x80\x99s network\nusing computer-monitoring technology that captured communications from both their\nGovernment and personal email accounts. 
In our interviews of those conducting the computer\nmonitoring and our review of other data sources, we found no evidence that FDA had obtained\nor used passwords to any of the scientists\xe2\x80\x99 private email accounts, nor did we find any evidence\nthat FDA logged into any of the scientists\xe2\x80\x99 computers in order to gain live access as a user of the\ncomputer. The images of private emails that FDA obtained were captured by screen shots taken\nby Spector of the scientists\xe2\x80\x99 use of the FDA network.\n        Because there was no policy in place at FDA or CDRH to ensure compliance with\napplicable laws and restrictions, such as the Fourth Amendment, Title III, and the WPA, it was\nparticularly important for FDA and CDRH to ensure that it understood the full extent of the\nlimits on the agency and the rights of its employees. However, we found no evidence that FDA\nor CDRH planned its investigation or scoped the monitoring with the timely assistance of\ncounsel, who could have advised FDA and CDRH prior to the monitoring on compliance with\nrelevant requirements, such as the Fourth Amendment, criminal prohibitions on the interception\nof electronic communications, and the WPA; there was no policy in place at FDA or CDRH to\nensure compliance with these requirements.\n        The legality of the surveillance under these authorities currently is being litigated, and we\nare not prejudging the outcome. 
Nevertheless, we find that despite the reasonableness of\nCDRH\xe2\x80\x99s concerns and the explicit language in FDA\xe2\x80\x99s network banner, CDRH should have\n\n                                                                                         16 | P a g e\n\x0cassessed beforehand, and with the assistance of legal counsel, whether potentially intrusive\nEnCase and Spector monitoring would be the most appropriate investigative tools and how to\nensure that the use of these tools would be consistent with constitutional and statutory limitations\non Government searches.\n       For instance, in the absence of existing guidance, CDRH should have considered, and\nsought legal counsel on, the following in advance of the monitoring:\n     1. Did the leaked information implicate criminal prohibitions or merely regulatory ones?\n        (This question is relevant to both the permissibility of the monitoring under the Fourth\n        Amendment and to the applicability of the WPA. See Appendix C.)\n     2. Was FDA\xe2\x80\x99s network log-on banner sufficient to remove all the scientists\xe2\x80\x99 REP, and\n        would the use of EnCase or Spector constitute a search that was justified at its inception\n        and that was of permissible scope? 17\n     3. Were the five scientists whistleblowers under the WPA, and if so, how should the\n        surveillance be conducted to ensure that there would be no WPA-prohibited retaliation? 18\n     4. Was Title III applicable, and if so, did the surveillance fall under an applicable\n        exception?\n         We found no evidence that CDRH or FDA considered these legal questions before\ninitiating surveillance. The only documented legal analysis, namely the Draft OGC Memo, was\nprepared after the surveillance already had begun. 
While recognizing that the Draft OGC Memo\nwas just that\xe2\x80\x94a draft\xe2\x80\x94it is one of few indications of any contemporaneous consultation with, or\nconsideration by, FDA counsel.\n       Another indicator of the lack of adequate consideration of the implications of the Fourth\nAmendment, in particular, is the lack of documentation supporting both the reasons why EnCase\nand Spector\xe2\x80\x94both of which broadly capture information\xe2\x80\x94were determined to be the most\nappropriate tools and the manner in which the EnCase and Spector searches were scoped.\nSpecifically, we found that the discussion of what investigative technique to use and how to\nscope the monitoring was limited largely to technical discussions with information technology\n17\n   Courts have established that a sufficiently broad network banner can eliminate a Government employee\xe2\x80\x99s REP. It\nis important to note, however, that soon after FDA began its computer monitoring, the United States Supreme Court\ndecided City of Ontario v. Quon, in which the Court\xe2\x80\x99s Fourth Amendment analysis bypassed the question of REP\naltogether and concluded the search was legal after applying the two-part test that the search be justified at its\ninception and permissible in scope. This suggests that a prudent agency would ensure that any monitoring would be\nof permissible scope under O\xe2\x80\x99Connor v. Ortega (see Appendix C), even in cases when the monitored employee has\nno REP.\n18\n   In the wake of revelations about FDA\xe2\x80\x99s monitoring of its scientists, the Office of Special Counsel (OSC) issued\nguidance to Federal agencies stating that \xe2\x80\x9cagency monitoring specifically designed to target protected disclosures to\nthe OSC and IGs is highly problematic.\xe2\x80\x9d\n\n                                                                                                       17 | P a g e\n\x0cprofessionals about the available surveillance technology. 
In addition, neither CDRH nor FDA\xe2\x80\x99s\nOIM staff could produce or recall the substance of the specifications on how to implement the\nSpector monitoring that were provided by the CNI Team Leader to his subordinate conducting\nthe monitoring. Similarly, although OIG was able independently to identify search terms applied\nwhen CDRH used EnCase to search for relevant material on the scientists\xe2\x80\x99 computers, we found\nno document that explained the relevance of these search terms. The absence of documentation\nconcerning scoping decisions makes it difficult to evaluate the reasonableness of these computer\nsearches.\n         Because CDRH and FDA did not prospectively assess the relative risks involved in\nwhether or how to conduct investigations of potential whistleblowers, such as ensuring that their\ninvestigations were conducted in accordance with laws and regulations, the computer monitoring\nof the five scientists had significant negative consequences for FDA. A timely, fuller, and better\ndocumented consideration of all of these risks may have provided the agency greater protection\nfrom controversy, while demonstrating the agency\xe2\x80\x99s commitment to protecting its employees\xe2\x80\x99\nrights. 19\n\nIII.     
RECOMMENDATIONS\n\n        HHS should ensure that its operating divisions (OpDivs) draft and implement policies\nand related procedural internal controls that provide reasonable assurance of compliance with\nlaws and regulations, particularly those governing current and prospective employee monitoring.\nAt a minimum, the internal controls concerning electronic monitoring of employees 20 should\naddress:\n         \xe2\x80\xa2        the agency\xe2\x80\x99s authority to monitor employee communications or access employee\n                  files;\n         \xe2\x80\xa2        protection of the rights of employees and the extent of an employee's expectation\n                  of privacy while using agency IT resources;\n         \xe2\x80\xa2        specific conditions for requesting access to employee communications;\n         \xe2\x80\xa2        defined roles and responsibilities for initiating, reviewing, and approving requests\n                  to access employee communications and data; and\n\n19\n   On June 17, 2013, all HHS employees received an email both describing the Department\xe2\x80\x99s authority and ability to\nmonitor the electronic activities that take place on its networks and equipment and notifying employees of the laws\nin place to protect Federal employees who reveal instances of waste, fraud or abuse within the Federal Government,\ncommonly referred to as the \xe2\x80\x9cWhistleblower Protections laws.\xe2\x80\x9d The email included a notice regarding the\nWhistleblower Protection Enhancement Act of 2012.\n20\n   This includes, but is not limited to, current and former Federal employees, contractors, interns, and visitors that\nare provided access to HHS information technology and data.\n\n                                                                                                        18 | P a g e\n\x0c        \xe2\x80\xa2        retention of records that document the initiation, review, and approval of\n                 electronic 
monitoring, including opinions and recommendations of legal counsel.\n         At the time of FDA\xe2\x80\x99s investigation of the five scientists, neither the Department, FDA,\nnor CDRH had policies or procedures in place that governed the monitoring of agency\nemployees\xe2\x80\x99 use of Government IT resources. After public revelations that FDA had monitored\nits employees, HHS implemented a Department-wide policy regarding such computer\nsurveillance. Issued on June 26, 2013, HHS\xe2\x80\x99s \xe2\x80\x9cPolicy for Monitoring Employee Use of HHS IT\nResources\xe2\x80\x9d requires that its agencies \xe2\x80\x9cestablish policies and procedures that will strengthen the\nability to effectively document, analyze, authorize, and manage requests for HHS employee\ncomputer monitoring.\xe2\x80\x9d The policy states that \xe2\x80\x9c[w]hile the warning banner gives OpDivs the\nauthority to monitor employee use of IT resources, it is each OpDiv\xe2\x80\x99s responsibility to carry out\nmonitoring in a fashion that protects employee interests and ensures the need for monitoring has\nbeen thoroughly vetted and documented.\xe2\x80\x9d The policy gave the agencies, including FDA, 90 days\nto develop and deliver written policies and procedures that meet requirements laid out in the\nHHS policy. These requirements include, among other things: maintaining advanced written\nauthorization of any computer monitoring, consulting with OGC to ensure the proposed\nmonitoring complies with all legal requirements, and documenting the basis for approving\nrequests to conduct computer monitoring.\n        FDA issued its interim computer-monitoring policy on September 26, 2013. 
In\nparticular, the FDA\xe2\x80\x99s interim policy:\n            \xe2\x80\xa2    establishes procedures requiring authorization by senior management and\n                 consultation with legal counsel;\n            \xe2\x80\xa2    distinguishes between monitoring conducted at the behest of law enforcement and\n                 monitoring conducted for management purposes to minimize interference with\n                 law enforcement investigations;\n            \xe2\x80\xa2    requires monitoring to be narrowly tailored in time, scope, and degree to\n                 accomplish the monitoring\xe2\x80\x99s objectives; and\n            \xe2\x80\xa2    requires that the authorization describe the reason, factual basis, and scope of the\n                 monitoring.\n       Given this, FDA\xe2\x80\x99s interim policy addresses our five recommendations outlined above. 21\nHHS should determine whether all other individual OpDiv policies meet our recommendations\nabove. HHS also should regularly review and, as necessary, update its Department-wide\n\n21\n   We note that both the HHS policy and the FDA policy are ambiguous with respect to their applicability to\ncircumstances in which the misconduct being investigated might not violate a written policy. HHS and FDA should\nensure that their managers have adequate guidance in such cases.\n\n                                                                                                  19 | P a g e\n\x0cmonitoring policies to ensure they are compatible with new and emerging technologies and\nmethodologies. Information technology is continually changing, and a static monitoring policy\ncould fail to address key implementation issues as capabilities evolve.\n\nIV.    DEPARTMENT RESPONSE\n\n        HHS concurred with all of the recommendations in this report. See Appendix D for the\nfull text of HHS\xe2\x80\x99s comments. 
HHS also offered technical comments that we incorporated as\nappropriate.\n\n\n\n\n                                                                                   20 | P a g e\n\x0cAPPENDIX A: Methodology\n\n       This review was conducted by a 12-member team (the Review Team) composed of\nindividuals from OIG\xe2\x80\x99s Immediate Office, Office of Audit Services, Office of Counsel to the\nInspector General, Office of Evaluation and Inspections, Office of Investigations, and Office of\nManagement and Policy.\n        We interviewed current and former employees of FDA for this report, including the\nCDRH Director, the CDRH Executive Officer, the then Associate Director in CDRH\xe2\x80\x99s Office of\nIn Vitro Diagnostic Device Evaluation and Safety, the FDA OCI Office of Internal Affairs SAC,\nan OCI Office of Internal Affairs Assistant SAC, and FDA\xe2\x80\x99s former Chief Information Security\nOfficer during the relevant time period. We also interviewed two employees of CNI, an FDA\ncontractor: the CNI Team Leader and the CNI Team Member.\n       We were unable to interview certain individuals with information relevant to our review.\nFDA\xe2\x80\x99s former CIO, who is no longer in Federal service, declined through counsel to speak with\nthe Review Team. Similarly, an attorney collectively representing the five scientists subject to\ncomputer monitoring did not respond to our repeated information requests.\n         The Review Team also collected information and documents from FDA on topics that\nincluded policies regarding the use of software to engage in computer surveillance of FDA\nemployees, surveillance software files and logs, and consultations FDA engaged in prior to\ninitiating monitoring. 
In all, we received more than six terabytes of information that included\ndocuments, emails, and screen shots.\n\n       Throughout this document, when an assertion is made, it is based on information\ngathered from witness interviews and other evidence reviewed by the Review Team.\n\n\n\n\n                                                                                       21 | P a g e\n\x0cAPPENDIX B: CDRH and the Premarket Application Process\n\n         CDRH is responsible for ensuring the safety and effectiveness of medical devices.\nDevices vary in complexity and application, ranging from simple tongue depressors to complex\npacemakers. CDRH assigns each type of device one of three regulatory classifications (Class I,\nII, or III), which are based on the level of control needed to ensure the safety and effectiveness of\nthe device for patients and other end users. Regulatory control increases from Class I to Class\nIII. A device\xe2\x80\x99s risk classification determines its premarket review process. 22\n       CDRH must approve Class III medical devices prior to their marketing under either the\nPremarket Approval process or the Premarket Notification (the latter is referred to as \xe2\x80\x9c510(k)\xe2\x80\x9d)\nprocess. Premarket Approval review is the most stringent process for obtaining FDA approval to\nmarket a device and is required by statute for devices that support or sustain human life, are of\nsubstantial importance in preventing impairment of human health, or present a potentially\nunreasonable risk of illness or injury. 23\n         If a Class III device is not required to undergo Premarket Approval, the manufacturer\nmust submit to CDRH a 510(k) application. The 510(k) is a faster and less stringent premarket\nreview process than Premarket Approval. Submissions under the 510(k) process must\ndemonstrate that a device to be marketed is substantially equivalent to a predicate device that is\nalready legally marketed in the United States. 
24 CDRH determines that a device is substantially equivalent to a predicate device if the 510(k) submission demonstrates that it has the same intended use and technological characteristics as the predicate. A device with technological characteristics that differ from the predicate device may also be declared substantially equivalent if the information in the 510(k) submission demonstrates that the device is at least as safe and effective as the predicate and does not raise new questions of safety and effectiveness. 25

Scientists who are either CDRH staff or contract employees determine which regulatory class a device falls into, whether a device should be reviewed under the Premarket Approval or 510(k) process, and whether a device should be approved or cleared.

22 See 21 CFR § 860.3.
23 See the Federal Food, Drug, and Cosmetic Act §§ 515(a) and 513(a)(1)(C), 21 U.S.C. §§ 360e(a) and 360c(a)(1)(C).
24 See 21 CFR § 807.92(a)(3).
25 FDA, CDRH, Guidance on the CDRH Premarket Notification Review Program 6/30/86 (K86-3), 510(k) Memorandum #K86-3.

APPENDIX C: Applicable Legal Criteria

The FDA scientists’ communications with outside entities and FDA’s computer monitoring implicate a variety of legal restrictions relating to disclosure of information and to privacy. This appendix summarizes those legal principles, which are relevant to determining whether the conduct of the FDA scientists provided a sufficient legal basis for FDA to engage in the computer monitoring in the manner and scope that it did.

Reasonableness of a Computer Search

The Fourth Amendment’s protections against unreasonable searches and seizures apply where an individual has REP.
Without REP, a search by the Government is not a search for the\npurposes of the Fourth Amendment. Where there is REP, the Government generally must have\nprobable cause and obtain a warrant for a search to be reasonable. In general, Government\nemployees who are notified that their employer has retained rights to access or inspect\ninformation stored on the employer\xe2\x80\x99s computers can have no REP in the information stored\nthere.\n       The Supreme Court\xe2\x80\x99s decision that governs the constitutionality of a search in a\ngovernment office is O\xe2\x80\x99Connor v. Ortega, 480 U.S. 709 (1987). In Ortega, the Supreme Court\ndescribes the factors for determining REP:\n       Individuals do not lose Fourth Amendment rights merely because they work for\n       the government instead of a private employer. The operational realities of the\n       workplace, however, may make some employees\xe2\x80\x99 expectations of privacy\n       unreasonable when an intrusion is by a supervisor rather than a law enforcement\n       official. Public employees\xe2\x80\x99 expectations of privacy in their offices, desks, and file\n       cabinets, like similar expectations of employees in the private sector, may be\n       reduced by virtue of actual office practices and procedures, or by legitimate\n       regulation.\n\nOrtega, 480 U.S. at 717.\n       Therefore, whether the scientists had REP in their use of FDA computer resources \xe2\x80\x94\nsuch as computer hard drives, external memory devices, and network storage \xe2\x80\x94 is determined on\na case-by-case basis and will be influenced by such facts as the presence and wording of FDA\xe2\x80\x99s\nnetwork banner.\n       Where a public employee has REP, there are several exceptions to the probable cause and\nwarrant requirements. Among these is the exception for workplace searches conducted for\npurposes unrelated to the enforcement of criminal laws. 
The Supreme Court held in Ortega that “public employer intrusions on the constitutionally protected privacy interests of government employees for non-investigatory, work-related purposes, as well as for investigations of work-related misconduct, should be judged by the standard of reasonableness under all the circumstances.” Further, the search must be justified at its inception and permissible in scope. A search is justified at its inception if there are reasonable grounds, based on all of the circumstances, for suspecting that (1) the search will turn up evidence that the employee engaged in work-related misconduct or (2) the search is necessary for a noninvestigatory work-related purpose, such as to retrieve a file when the employee is not available. It is permissible in scope where the measures adopted are reasonably related to the objectives of the search and not excessively intrusive in light of the nature of the misconduct. Ortega, 480 U.S. at 726. The measures, however, need not be the least intrusive measures practicable. 26

It is important to note that in its more recent consideration of a workplace search of a Government employee’s use of agency information resources, the Supreme Court avoided the question of REP altogether and proceeded directly to apply the two-part test that the search must be justified at its inception and permissible in scope.
27 Because of the uncertain or speculative nature of REP determinations, applying the two-part test in all circumstances before initiating a workplace search, such as computer surveillance, could help limit the Government employer’s litigation vulnerability.

Interception of Electronic Communications

FDA’s computer monitoring potentially implicates criminal prohibitions on the interception or acquisition of electronic communications without legal process, because Spector captured images of e-mails being prepared or dispatched by the scientists using both their personal and FDA e-mail accounts. Title III, as amended by the Electronic Communications Privacy Act of 1986 (ECPA), governs the authority of the Government to intercept electronic communications, such as email. Title III requires that the Government obtain a court order prior to engaging in real-time interception of email, as would be required for real-time interception of telephone calls. Among the exceptions to the court order requirement is the “consent exception,” which requires an analysis similar to establishing whether REP exists. In particular, the consent exception analysis would be used to determine whether an individual gave consent by agreeing to abide by the terms of FDA’s computer network banner when logging onto FDA’s network.

The law also limits the Government’s ability to obtain “stored communications.” The Stored Communications Act, enacted as Title II of ECPA, requires the Government to issue a subpoena to an email service provider to acquire emails that have been retrieved by the

26 See City of Ontario v. Quon, 130 S. Ct. 2619, 2632 (2010).
27 Quon, 130 S. Ct. at 2630.

holder of the email account.
To acquire emails that have not been retrieved, the Government\nmust either issue a subpoena or obtain a warrant depending on how long the email has been in\nelectronic storage with the email service provider. These provisions are relevant only if FDA\nacquired stored personal emails from the five scientists\xe2\x80\x99 email service providers.\n\nThe Whistleblower Protection Act\n\n        Although a workplace search may be justifiable under existing Fourth Amendment\nprinciples and under Federal prohibitions on disclosure of information, searches conducted\nagainst those who make disclosures to, for example, Congress or to the press may implicate the\nprohibition in the WPA, at 5 U.S.C. \xc2\xa7 2302, against retaliation.\n        Subsequent to public revelations of the FDA\xe2\x80\x99s surveillance of its five employees, OSC\nissued a memorandum in which it stated that \xe2\x80\x9cagency monitoring specifically designed to target\nprotected disclosures to OSC and IGs is highly problematic.\xe2\x80\x9d This admonition was based in part\non the provisions of the WPA, which prohibit taking or not taking any personnel action with\nrespect to a Government employee because of any disclosure of information that the employee\nreasonably believes to evidence violations of law or regulation, waste and abuse, or a specific\ndanger to public health. Section 2302 defines \xe2\x80\x9cpersonnel action\xe2\x80\x9d to include disciplinary or\ncorrective actions or any other significant change in working conditions and is therefore\nsufficiently broad to include targeting an employee for computer surveillance. Notably, the\nstatute does not specify to whom a disclosure must be made for whistleblower protections to be\navailable, and thus the statute has been interpreted to cover disclosures made to media outlets, in\naddition to OIGs, OSC, and Congress. 
28

Section 2302 contains one important caveat regarding the applicability of whistleblower protections: an agency is prohibited from taking (or not taking) a personnel action only when the disclosure made by the employee is not specifically prohibited by law. Therefore, the statutory prohibitions on certain disclosures, described immediately below, are relevant to the applicability of this caveat to FDA’s monitoring of its employees.

Prohibitions on the Disclosure of Information by FDA Employees

Several statutory and regulatory provisions limit the ability of FDA employees to share agency information with others outside the agency. Violation of any of these provisions may provide a legitimate basis for an internal investigation. The Federal criminal statute generally

28 See e.g., Horton v. Department of the Navy, 66 F.3d 279 (Fed. Cir. 1995) (stating, “The purpose of the Whistleblower Protection Act is to encourage disclosure of wrongdoing to persons who may be in a position to act to remedy it, either directly by management authority, or indirectly as in disclosure to the press.”).

limiting disclosures, at 18 U.S.C. § 1905, provides for removal and for criminal penalties for the disclosure of trade secrets and confidential business information where such disclosure is not authorized by law. The Federal Food, Drug, and Cosmetic Act has additional criminal provisions at 21 U.S.C. §§ 331(j) and 333, which prohibit the disclosure of trade secrets (but not confidential business information) submitted to the FDA in accordance with FDA approval processes. The prohibition in section 331(j) does not apply to disclosures made to Congress or its committees, but it does apply to disclosures to the media.
FDA implemented and expanded on section 331(j) in its regulation at 21 CFR § 20.61. The regulation states that neither trade secrets nor CCI is available for public disclosure outside of the procedures set forth in the regulation and provides definitions for “trade secrets” and “CCI.”

Finally, FDA has implemented disclosure restrictions with respect to PMAs. “The existence of a PMA file may not be disclosed by FDA before an approval order is issued to the applicant unless it previously has been publicly disclosed or acknowledged.” 21 CFR § 814.9. Furthermore, “If the existence of a PMA file has not been publicly disclosed or acknowledged, data or information in the PMA file are not available for public disclosure.” Similarly, 21 CFR § 807.95 prohibits the disclosure of the existence of a premarket notification (510(k)) submission, except under the specified circumstances.

Appendix D: Department Comments